How to Resolve SAP GRC Risks (With Real Project Examples) - SAP SECURITY

SAP SECURITY

Practical SAP Security & GRC Tutorials | S/4HANA | SU24 | SU25 | Fiori | GRC

How to Resolve SAP GRC Risks (With Real Project Examples)

by

How to Resolve SAP GRC Risks (With Real Project Examples)

In SAP Governance, Risk, and Compliance, risks are usually detected during Segregation of Duties (SoD) analysis. These risks occur when a user has access to conflicting transactions that could allow fraud or unauthorized activity.

Security and GRC consultants must analyze these risks and apply the correct mitigation strategy.

Below are common ways to resolve SAP GRC risks with real-world examples.

1. Remove the Conflicting Access (Most Recommended)

The safest way to resolve a risk is to remove one of the conflicting transactions or roles.

Example

Risk identified in SAP Access Control:

RiskTransactions
Create Vendor & Pay VendorXK01 + F110

Issue

User can:

  • Create vendor master

  • Run payment program

This creates a fraud risk because the same user could create a fake vendor and process payment.

Resolution

Remove one access:

Remove XK01 from role
OR
Remove F110 access

Now the risk disappears during GRC analysis.

2. Role Redesign

Sometimes risks occur because roles are badly designed.

Example

Role FI_AP_CLERK contains:

FB60 – Post Vendor Invoice
F110 – Automatic Payment

This creates SoD conflict.

Resolution

Split roles:

Role 1 – AP Invoice Processing
FB60
MIRO

Role 2 – Payment Processing
F110
F111

Now users receive only the role required for their job.

3. Mitigation Control (When Access Cannot Be Removed)

Sometimes business requires both accesses.

Example:

Finance manager needs:

FB60 – Post Invoice
F110 – Run Payment

Removing access may impact operations.

In this case, apply Mitigation Control in SAP Access Control.

Example Mitigation

Control ID:

FIN_MIT_001
Monthly review of payment logs

Mitigator (manager) reviews:

  • Payment reports

  • Vendor transactions

  • Audit logs

If approved, risk remains but is controlled.

4. Organizational Level Restriction

Sometimes risk exists because user has wide organizational access.

Example:

Risk:

Create Vendor
Post Vendor Invoice

But business requirement is limited to one company code.

Resolution

Restrict authorization objects:

F_BKPF_BUK
BUKRS = 1000

Now user can perform activity only for company code 1000.

This reduces risk exposure.

5. Firefighter Access (Emergency Access)

Sometimes risks occur only for temporary support tasks.

Instead of giving permanent access, use Firefighter ID in SAP Access Control.

Example

Production issue requires access to:

SE16
SU01
PFCG

Instead of assigning roles permanently:

Process:

  1. User requests firefighter access

  2. Access granted temporarily

  3. Activity logs captured

  4. Controller reviews logs

This prevents long-term SoD conflicts.

6. Risk Acceptance

In rare situations, risk may be accepted by business.

Example:

Small organization where finance team has only one person.

Risk:

Create Vendor + Pay Vendor

Since separation of duties is not possible, risk is formally accepted.

Documentation includes:

  • Business justification

  • Risk acceptance approval

  • Periodic audit review

Example of Complete Risk Resolution Scenario

User: AP Manager
System: SAP S/4HANA

Detected Risk:

Post Vendor Invoice (FB60)
Execute Payment (F110)

Analysis

User role contains:

Z_AP_MANAGER
Z_PAYMENT_PROCESS

Solution

Option implemented:

Remove payment role
Assign invoice processing role only

OR

If business requires both:

Apply mitigation control
Quarterly audit review

Best Practices for GRC Risk Resolution

✔ Always analyze business requirement before removing access
✔ Avoid giving broad roles to users
✔ Design roles based on job functions
✔ Use mitigation only when absolutely necessary
✔ Document all accepted risks

Conclusion

Resolving risks in SAP Governance, Risk, and Compliance requires a balance between security and business operations. The most effective solutions include removing conflicting access, redesigning roles, restricting organizational levels, or applying mitigation controls.

A skilled SAP Security consultant must carefully evaluate each risk and implement the appropriate resolution strategy to maintain compliance and system integrity.

By

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)